Unusual Web Request

calendar Aug 22, 2023 · Use Case: Threat Detection Rule Type: ML Rule Type: Machine Learning Tactic: Command and Control  ·
Share on: linkedin copy

A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "network_traffic"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/07/27"
 8
 9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to
14initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise
15or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted
16users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload.
17When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for
18command-and-control communication. When rare URLs are observed being requested for a local web server by a remote
19source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers
20which are part of common Internet background traffic.
21"""
22false_positives = [
23    """
24    Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical
25    support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger
26    this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this
27    when they are used sparsely. Web domains can be excluded in cases such as these.
28    """,
29]
30from = "now-45m"
31interval = "15m"
32license = "Elastic License v2"
33machine_learning_job_id = "packetbeat_rare_urls"
34name = "Unusual Web Request"
35references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
36risk_score = 21
37rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
38severity = "low"
39tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
40type = "machine_learning"
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1071"
46name = "Application Layer Protocol"
47reference = "https://attack.mitre.org/techniques/T1071/"
48
49
50    [[rule.threat.technique.subtechnique]]
51    id = "T1071.001"
52    name = "Web Protocols"
53    reference = "https://attack.mitre.org/techniques/T1071/001/"
54
55
56[rule.threat.tactic]
57id = "TA0011"
58name = "Command and Control"
59reference = "https://attack.mitre.org/tactics/TA0011/"

References

Related rules

to-top